ISO 27002 2013 to 2022 mapping

On February 15th, the International Organization for Standardization (ISO), published the latest update to “ISO/IEC 27002 Information security, cybersecurity and privacy protection — Information security controls”. This latest standard is available for personal use from their site on ISO.org for CHF 198 (Swiss Francs) or, if you prefer, US dollars, $200, at the ANSI.org webstore. I’ll also simply refer to it as ISO 27002 as most people do.

I’ve been working with ISO 27002 controls since the 2005 version. It’s always interesting to see the changes that are made and what I need to be adjusting to adhere to the framework. Unfortunately, this also means that many organizations’ policies and procedures have to be updated. ISO 27002:2013 was mostly the same as the 2005 version, except it removed the controls around Risk Assessment and Treatment. This time, the changes are much more drastic to align and these changes are, in short:

• ISO 27002:2013 had 114 controls over 14 control domains
• ISO 27002:2022 reorganized this into 93 controls with a taxonomy of 4 primary categories (referred to as clauses):

1. Organizational Controls – 37 controls
   • The catchall clause
2. People Controls – 8 controls
   • These deal with individual people, such as background checks
3. Physical Controls – 14 controls
   • These refer to physical objects, such as data centers and backup media
4. Technological Controls – 34 controls
   • These are concerned with information security technology, such as access rights and authentication

When I initially looked at this, I liked how it looked like how HIPAA was broken down into Administrative, Physical, and Technical. This simplification makes talking to non-security folk much easier, though of course, the very detailed controls are still in place.

Another big change is the inclusion of Attribute tables for each control. These are defined in Appendix A, but generally tell you if the control is preventative, detective, or corrective, does the control deal with Confidentiality, Integrity, or Availability, what Cybersecurity concepts it covers: Identify, Protect, Detect, Respond, or Recover. Oh hey, those are the NIST CSF functions!

Many of the controls from 2013 -> 2022 were merged where it made sense. When reviewing the changes to ISO 27002:2022, it became clear that controls that were previously “near” each other are moved all over the place. I decided to use Appendix B (included in the standard) to map out better where controls from ISO 27002:2013 were moved to in this latest version.

Additionally, I found that although no controls were dropped altogether, there were 11 new controls added, showing that the ISO 27002 framework continues to evolve and include current technologies and security concepts. These new controls are noted in table 1 below, and it is clear these are more recent security technologies.

For the most part, there is a “Many to 1” mapping. This means that each 2013 control maps into a single 2022 control. Sometimes multiple 2013 controls map into a single 2022 control as it combined similar concepts into a single control. This is the merging I referenced earlier. The map shows for each 2013 control where to find it in 2022, but also for each 2022 control which 2015 controls are included. I like to keep my policies very obviously aligned with the framework, so they are trivially auditable, and this map will help me re-use my 2013 documents.

This mapping is provided in the linked “ISO 27002 2013-2022 MAP (Annex B).xlsx” file. As we all move our tools and documentation from ISO 27002:2013 to ISO 27002:2022, hopefully the mapping will be useful to help guide you in this process and maybe shorten the time it takes you to migrate to the latest and greatest.

Table 1

­­